sglMerchant does not adequately filter user-supplied input in the form of '../' sequences. It is possible for a remote attacker to construct a web request which will break out of wwwroot to browse the filesystem of the host. The attacker may exploit this issue to display arbitrary web-readable files.

The sensitive information contained in disclosed files may aid the attacker in making further, more educated attempts at fully compromising the host.